Join Mike Chapple for an in-depth discussion in this video Understanding authorization, part of CompTIA Security+ Exam Prep (SY0-401): Access Control and Identity Management.
- View Offline
- Authorization is the final step in the access control process. Once an individual successfully authenticates to a system, authorization determines the privileges that individual has to access resources and information. There are many different authorization approaches and we'll discuss those in this course. First, let's talk about two general principles of authorization that lead to strong security. First, the principle of least privilege. This principle states that an individual should have only the minimum set of permissions necessary to accomplish his or her job duties.
Least privileges are important for two reasons. First, lease privilege minimizes the potential damage from an insider attack. If an employee turns malicious, the damage they can cause will be limited by the privileges assigned to them by job role. It's unlikely for example, that an accountant would be able to deface the company website, because an accountant's job responsibilities have nothing to do with updating web content. Second, least privilege limits the ability of an external attacker to quickly gain priviledged access when compromising an employee's account.
Unless they happen to compromise a system administrator's account, they will find themselves limited by the privileges of the account that they steal. The second important principle is separation of duties. This principle states that sensitive business functions should require the involvement of at least two people. This reduces the likelihood of fraud by requiring collusion between two employees to commit fraud. One common example of separation of duties is found in accounting departments.
One way that employees might steal funds from the organization is to set up fake vendors in the system and then issue checks to those vendors for services that were never rendered. To prevent this, organizations typically separate the ability to set up a new vendor and issue a check to that vendor and say that no employee should ever have both of those privileges. Organizations must watch out for privilege creep when trying to follow the principles of least privilege and separation of duties. Privilege creep occurs when users change from one job to another and gain new privileges associated with their new responsibilities, but never lose the privileges from the job that they left.
Over time, an employee who moves around from role to role may gain substantial privileges in this way. Consider the example of Alice. Alice starts as a clerk in the accounting department, where she is responsible for issuing checks to vendors. There, she has the issue check privilege. After a few years, Alice receives a promotion to a supervisory accountant position and gains responsibility for setting up new vendors in the system. Nobody ever takes away her old privileges.
Alice now has the ability to both set up a new vendor and issue checks. A violation of both least privilege and separation of duties. Organizations looking to preserve the principles of least privilege and separation of duties should perform regular account reviews. These may come in both manual and automated forms. For example, an automated process might run every time a user is granted new privileges to ensure that the new privileges won't violate any separation of duties requirements.
The organization might supplement these automated checks with quarterly access reviews where managers manually review the permissions assigned to each employee for compliance with the principle of least privilege. Maintaining authorization systems is a critical task for security professionals. The security plus exam might contain a question asking you to review a scenario and describe what authorization principle is described. Be sure to know the difference between least privilege and separation of duties, so that you're ready for those exam questions.
Author Mike Chapple, an IT leader with over 15 years experience, introduces identification methods such as usernames and biometrics, as well as authentication methods to verify users, including multifactor authentication, password authentication, and single sign-on. He also discusses authorization concepts such as mandatory and discretionary access controls, which can help you restrict access to sensitive parts of your network. The course also covers best practices for ongoing account management, such as establishing a good password policy, managing user roles, and monitoring accounts, and what to do when you need to suspend or terminate access.
NOTE: We are now a CompTIA Content Publishing Partner. Our training prepares members to pass CompTIA certification exams and become qualified IT professionals. As such, we are able to offer CompTIA exam vouchers at a 10% discount. For more information on how to obtain this discount, please download these PDF instructions.
- Setting policies for usernames and access cards
- Implementing biometrics
- Combining authentication factors for multifactor authentication
- Using a Kerberos access control system
- Using access control lists such as Windows NTFS file permissions
- Role-based authorization
- Implementing account and password policies